IPsec implementation
IPsec overview: IPsec is the collective name for a family of network security protocols developed by the IETF (Internet Engineering Task Force). It provides the communicating parties with access control, connectionless integrity, data-origin authentication, anti-replay protection, encryption, and per-flow classified encryption. It is a network-layer security mechanism: because it protects the network-layer packet information, upper-layer applications benefit automatically from the security the network layer provides, even if they implement no security of their own. This dispelled concerns about the security of ××× and allowed ××× to be deployed widely. IPsec has two modes of operation: transport mode and tunnel mode.
How IPsec processes packets:
To secure packets at the IP layer, IPsec uses encryption and data authentication to guarantee the confidentiality, integrity, authenticity and anti-replay protection of datagrams in transit over the network. To achieve these four goals,
IPsec uses two security protocols: AH (Authentication Header) and ESP (Encapsulating Security Payload).
The figure below compares the two protocols:
【AH】
Transport mode:
When the original packet is transmitted at the network layer, an AH header is inserted between the original IP header and the TCP header; the original IP header is unchanged.
Tunnel mode:
When the original packet is transmitted at the network layer, the original IP header is replaced by a new IP header, and an AH header is inserted between the new IP header and the TCP header.
【ESP】
Transport mode:
When the original packet is transmitted at the network layer, an ESP header is inserted between the original IP header and the TCP header; the original IP header is unchanged.
Tunnel mode:
When the original packet is transmitted at the network layer, the original IP header is replaced by a new IP header, and an ESP header is inserted between the new IP header and the TCP header.
【Summary】
In terms of security, tunnel mode is superior to transport mode: it can authenticate and encrypt the entire original IP datagram, and the IPsec peer's IP address can be used to hide the client's IP address. In terms of performance, tunnel mode consumes more bandwidth than transport mode because it carries an extra IP header.
Security Association 【SA】: The security association is the foundation of IPsec and its very essence. An SA is unidirectional, so bidirectional communication between two peers needs at least two SAs, one protecting the traffic in each direction. There are two ways to establish an SA: Manual (manual keying) and IKE (automatic negotiation).
The following experiment illustrates this.
【Experiment topology】
Configuration steps:
Step 1: Define the traffic to be protected (ACL)
Step 2: Define the security proposal
① Choose the IPsec mode: transport (transport mode) / tunnel (tunnel mode) 【default】
② Choose the security protocol: AH (Authentication Header) / ESP (Encapsulating Security Payload)
③ Under the chosen protocol, choose the corresponding encryption and authentication algorithms.
AH  ----> authentication-algorithm MD5/SHA1
ESP ----> authentication-algorithm MD5/SHA1
    ----> encryption-algorithm DES/3DES/AES
Step 3: Define the security policy (security policy group) ------> binds the ACL to the security proposal
Step 4: Apply the security policy to the interface ------> the policy takes effect on the interface
Configuration reference:
FW-1 configuration
[fw1]dis cu
#
sysname fw1
#
firewall packet-filter enable
firewall packet-filter default permit
#
insulate
#
firewall statistic system enable
#
radius scheme system
server-type extended
#
domain system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
service-type telnet terminal
level 3
service-type ftp
#
ipsec proposal tranl
#
ipsec policy policy1 10 manual
security acl 3000
proposal tranl
tunnel local 1.1.1.1
tunnel remote 1.1.2.1
sa spi inbound esp 54321
sa string-key inbound esp abcdefg
sa spi outbound esp 12345
sa string-key outbound esp gfedcba
#
acl number 3000 match-order auto
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
interface Aux0
async mode flow
#
interface Ethernet0/0
loopback
ip address 192.168.1.1 255.255.255.0
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet0/4
ip address 1.1.1.1 255.255.255.0
ipsec policy policy1
#
interface Encrypt1/0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0
add interface Ethernet0/4
set priority 85
#
firewall zone untrust
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
FTP server enable
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
[fw1]dis ipsec policy
===========================================
IPsec Policy Group: "policy1"
Using interface: {Ethernet0/4}
===========================================
-----------------------------
IPsec policy name: "policy1"
sequence number: 10
mode: manual
-----------------------------
security data flow : 3000
selector mode: standard
tunnel local address: 1.1.1.1
tunnel remote address: 1.1.2.1
proposal name:tranl
inbound AH setting:
AH spi:
AH string-key:
AH authentication hex key:
inbound ESP setting:
ESP spi: 54321 (0xd431)
ESP string-key: abcdefg
ESP encryption hex key:
ESP authentication hex key:
outbound AH setting:
AH spi:
AH string-key:
AH authentication hex key:
outbound ESP setting:
ESP spi: 12345 (0x3039)
ESP string-key: gfedcba
ESP encryption hex key:
ESP authentication hex key:
FW-2 configuration
[fw2]dis cu
#
sysname fw2
#
firewall packet-filter enable
firewall packet-filter default permit
#
insulate
#
firewall statistic system enable
#
radius scheme system
server-type extended
#
domain system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
service-type telnet terminal
level 3
service-type ftp
#
ipsec proposal tranl
#
ipsec policy policy1 10 manual
security acl 3000
proposal tranl
tunnel local 1.1.2.1
tunnel remote 1.1.1.1
sa spi inbound esp 12345
sa string-key inbound esp gfedcba
sa spi outbound esp 54321
sa string-key outbound esp abcdefg
#
acl number 3000 match-order auto
rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 20 deny ip
#
interface Aux0
async mode flow
#
interface Ethernet0/0
loopback
ip address 192.168.2.1 255.255.255.0
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet0/4
ip address 1.1.2.1 255.255.255.0
ipsec policy policy1
#
interface Encrypt1/0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0
add interface Ethernet0/4
set priority 85
#
firewall zone untrust
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
FTP server enable
#
ip route-static 0.0.0.0 0.0.0.0 1.1.2.2 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
[fw2]dis ipsec policy
===========================================
IPsec Policy Group: "policy1"
Using interface: {Ethernet0/4}
===========================================
-----------------------------
IPsec policy name: "policy1"
sequence number: 10
mode: manual
-----------------------------
security data flow : 3000
selector mode: standard
tunnel local address: 1.1.2.1
tunnel remote address: 1.1.1.1
proposal name:tranl
inbound AH setting:
AH spi:
AH string-key:
AH authentication hex key:
inbound ESP setting:
ESP spi: 12345 (0x3039)
ESP string-key: gfedcba
ESP encryption hex key:
ESP authentication hex key:
outbound AH setting:
AH spi:
AH string-key:
AH authentication hex key:
outbound ESP setting:
ESP spi: 54321 (0xd431)
ESP string-key: abcdefg
ESP encryption hex key:
ESP authentication hex key:
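With manual keying there is no IKE to catch a mismatch, so a defender wants a quick consistency check before the tunnel is declared working. The following Python is an added example, not part of the original post or the device software: it parses the two manual policy blocks shown above and verifies that FW-1 and FW-2 mirror each other (tunnel endpoints swapped, each side's inbound ESP SPI and string-key equal to the other side's outbound values). The minimum string-key length is an assumed local policy threshold, not a device default.

```python
import re

# Constructed sample input: the two "ipsec policy ... manual" blocks copied
# from the page's FW-1 and FW-2 running configurations.
FW1 = """ipsec policy policy1 10 manual
 security acl 3000
 proposal tranl
 tunnel local 1.1.1.1
 tunnel remote 1.1.2.1
 sa spi inbound esp 54321
 sa string-key inbound esp abcdefg
 sa spi outbound esp 12345
 sa string-key outbound esp gfedcba
"""
FW2 = """ipsec policy policy1 10 manual
 security acl 3000
 proposal tranl
 tunnel local 1.1.2.1
 tunnel remote 1.1.1.1
 sa spi inbound esp 12345
 sa string-key inbound esp gfedcba
 sa spi outbound esp 54321
 sa string-key outbound esp abcdefg
"""

def parse_policy(text):
    """Pull tunnel endpoints and per-direction ESP SPI / string-key out of one policy block."""
    p = {}
    for m in re.finditer(r"tunnel (local|remote) (\S+)", text):
        p[m.group(1)] = m.group(2)
    for m in re.finditer(r"sa (spi|string-key) (inbound|outbound) esp (\S+)", text):
        p[(m.group(2), m.group(1))] = m.group(3)
    return p

def check_peers(a, b, min_key_len=16):
    """Return findings; an empty list means the SAs mirror. min_key_len is an assumed threshold."""
    findings = []
    if a["local"] != b["remote"] or a["remote"] != b["local"]:
        findings.append("tunnel endpoints are not swapped between the peers")
    # A's inbound SA must be B's outbound SA and vice versa (SPI and key alike).
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        for field in ("spi", "string-key"):
            if a[(mine, field)] != b[(theirs, field)]:
                findings.append(f"A {mine} {field} does not match B {theirs} {field}")
    for name, p in (("A", a), ("B", b)):
        for d in ("inbound", "outbound"):
            if len(p[(d, "string-key")]) < min_key_len:
                findings.append(f"{name} {d} string-key is shorter than {min_key_len} chars")
    return findings
```

Run against the page's two configurations, the SPI/key pairing and tunnel endpoints check out, but every string-key is flagged as short under the assumed 16-character minimum.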
Switch configuration
<Quidway>dis cu
#
sysname Quidway
#
radius scheme system
server-type huawei
primary authentication 127.0.0.1 1645
primary accounting 127.0.0.1 1646
user-name-format without-domain
domain system
radius-scheme system
access-limit disable
state active
vlan-assignment-mode integer
idle-cut disable
self-service-url disable
messenger time disable
domain default enable system
#
local-server nas-ip 127.0.0.1 key huawei
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 24
#
interface Vlan-interface1
#
interface Vlan-interface10
ip address 1.1.1.2 255.255.255.0
#
interface Vlan-interface20
ip address 1.1.2.2 255.255.255.0
#
interface Vlan-interface24
ip address 1.1.3.2 255.255.255.0
#
interface Aux0/0
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet0/4
#
interface Ethernet0/5
#
interface Ethernet0/6
#
interface Ethernet0/7
#
interface Ethernet0/8
#
interface Ethernet0/9
#
interface Ethernet0/10
port access vlan 10
#
interface Ethernet0/11
#
interface Ethernet0/12
#
interface Ethernet0/13
#
interface Ethernet0/14
#
interface Ethernet0/15
#
interface Ethernet0/16
#
interface Ethernet0/17
#
interface Ethernet0/18
#
interface Ethernet0/19
#
interface Ethernet0/20
port access vlan 20
#
interface Ethernet0/21
#
interface Ethernet0/22
#
interface Ethernet0/23
#
interface Ethernet0/24
port access vlan 24
#
interface NULL0
#
user-interface aux 0
user-interface vty 0 4
#
return
Test results:
Ping: